Black Hat 2010: Microsoft and Adobe collaborate to share vulnerability information

This is part of their increased collaboration and responsibility movement. Dave Forstrom, Director of Trustworthy Computing, told Infosecurity’s Eleanor Dallaway that “customers don’t care about vendor competition, they just want a scalable solution”. The collaboration, explain Forstrom and Brad Arkin, senior director of product security and privacy at Adobe, “answers an industry need for information sharing with the broader security community”.

“Patching after security updates were released wasn’t enough”, said Arkin. “We asked security providers how they wanted us to share our updates with them and they said that Microsoft was the gold standard. So we had two options – we could reinvent the wheel and try to do it alone, or join forces with Microsoft. This collaboration is a more efficient way of helping our customers. We’re really very excited about it”.

As of Autumn 2010, Adobe vulnerability and security updates will run through the same channels as Microsoft’s. Protection providers are given the security updates in advance of Patch Tuesday, which “gives a leg up to the good guys”.

While Microsoft are currently focussed on rolling out this new collaborative work with Adobe, “once complete, we will be open to other collaborations”, said Forstrom.

Cyber Neighbourhood watch

Microsoft also announced its shift in mindset from ‘responsible disclosure’ to ‘coordinated vulnerability disclosure’. Forstrom explains why Microsoft have made this shift. “We need to focus on shared responsibility, as individuals, as companies. We need to re-focus on criminals as they are the common enemy.”

Customers are asking for faster protection and more guidance, says Forstrom, who described the concept as “community watch online”. He explained that individuals need to become the next line of defense. “Coordinated vulnerability disclosure means that when a vulnerability is found, the finder needs to work with the vendor to reduce the risk rather than amplify it.”

This concept, said Forstrom, has been happening for months and has lots of support from the broader community.

A free toolkit

Microsoft’s third and final announcement is the release of the Enhanced Mitigation Experience Toolkit – a free tool that helps block targeted attacks against unfixed vulnerabilities. “The product offers security mitigations for most third party and line of business applications and brings newer security mitigations to older Microsoft platforms and applications”, said Forstrom.

The tool will be freely available, free of charge, in August.


 
